In the era of the connected car, automakers and third-party developers compete to turn smartphones into vehicular remote controls, allowing drivers to locate, lock, and unlock their rides with a screen tap. Some apps even summon cars and trucks in Knight Rider fashion. But phones can be hacked. And when they are, those car-connected features can fall into the hands of hackers, too.

That’s the troubling result of a test of nine different connected-car Android apps from seven companies. A pair of researchers from the Russian security firm Kaspersky found that most of the apps, several of which have been downloaded hundreds of thousands or over a million times, lacked even basic software defenses that drivers might expect to protect one of their most valuable possessions. By either rooting the target phone or tricking a user into installing malicious code, the researchers say, hackers could use any of the apps Kaspersky tested to locate a car, unlock it, and in some cases start its ignition.

Ignition Remix

For now, the researchers have declined to name any of the specific apps they tested for fear they’d provide tips to car thieves. But they argue their work should send a message to the car industry in general to take connected car security more seriously. “Why don’t connected car application developers care about security as much as the developers of banking applications?” asks Kaspersky researcher Viktor Chebyshev. “They’re also controlling very valuable things for the user, but they’re not thinking about security mechanisms.”

The worst-case attack researchers found would allow a hacker access to the inside of a locked car; thieves would need other tricks to achieve a more serious outcome, like spoofing a key or otherwise disabling the car’s immobilizer, which prevents cars from being stolen. They point out that Tesla’s vehicles allow a car to be driven with only a smartphone app as an example of how compromising a phone could lead to more serious theft, though Tesla wasn’t part of their research.

The analysis mostly sticks to the apps themselves—researchers only tried the attacks on one of the affected car models. And they say they haven’t discovered any samples of Android malware in active use that pull off the tricks they describe. But they nonetheless argue that looking at the apps’ code alone shows how car thieves could exploit their features, and they point to limited evidence from hacker forums that the black market has already taken an interest. Screenshots of postings in those forums (below) show offers to buy and sell connected car app credentials including usernames and passwords, as well as PINs and Vehicle Identification Numbers (VINs) for different makes and models of car. The going rate is hundreds of dollars per account. “Cybercriminals are preparing these attacks now,” Chebyshev says.


The Kaspersky researchers outline three techniques for exploiting the Android apps they tested. (iOS is generally considered far more difficult to hack.) All but one of the apps, for instance, stored the associated username, password, or both in an unencrypted form in the phone’s storage. By rooting the victim’s phone—using an exploit that gains full privileges in the device’s operating system—a hacker could access those stored login details and send them off to his or her command-and-control server. Alternatively, they suggest hackers could trick car owners into downloading altered versions of the connected car apps that include malicious code that siphons off their login details. Or thieves could infect phones with malware that performs an “overlay” attack: When the car app launches, the malware would detect it loading and preempt it with a fake interface that steals and transmits the user’s credentials. A hacker could even load the malware with multiple overlays, so that it’s ready to spoof any connected car app the victim loads. “If I were an attacker, I would overlay all the connected car apps and just steal all the apps’ credentials,” says Chebyshev.

Buckle Up

The researchers say they’ve reported the security issues they’re highlighting to several of the affected car companies, and are still informing others. But they also note that the problems they’re pointing out aren’t security bugs so much as a lack of safeguards. Encrypting or hashing the credentials stored on the device, adding two-factor authentication or fingerprint authentication, or creating integrity checks that the apps would perform to see if they’ve been altered to include malicious code would all go a long way toward mitigating the problem.
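As an added illustration of two of the safeguards just named (not code from Kaspersky or from any of the automakers in the study), the Android class below shows the plaintext storage pattern the researchers found beside a hardened alternative. The hardened path keeps a revocable session token instead of the password, seals it under an AES key that lives in the Android Keystore, and refuses to run if the APK’s signing certificate is not the expected one. The package name, key alias, preference file name and the certificate fingerprint are placeholders; a real app would embed the SHA-256 of its own release certificate.

```java
package example.carapp; // hypothetical package, not a real vendor's

import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Build;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

/** Added illustration of the safeguards named in the article; not Kaspersky's or any automaker's code. */
public final class CredentialHardening {

    // The pattern the researchers found: the password written unencrypted to
    // shared_prefs, where anything running as root on the device can read it.
    public static void storeInsecurely(Context ctx, String password) {
        ctx.getSharedPreferences("login", Context.MODE_PRIVATE)
           .edit().putString("password", password).apply();
    }

    // ---- Safeguard 1: keep a revocable token, sealed under an AndroidKeyStore key, never the password ----

    private static final String KEY_ALIAS = "car-session-key"; // constructed alias
    private static final String KEYSTORE = "AndroidKeyStore";

    private static SecretKey sessionKey() throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance(KEYSTORE);
        ks.load(null);
        if (ks.containsAlias(KEY_ALIAS)) {
            return ((KeyStore.SecretKeyEntry) ks.getEntry(KEY_ALIAS, null)).getSecretKey();
        }
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, KEYSTORE);
        kg.init(new KeyGenParameterSpec.Builder(KEY_ALIAS,
                        KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .setKeySize(256)
                // .setUserAuthenticationRequired(true) would additionally gate every use of
                // the key behind fingerprint or device-credential authentication
                .build());
        return kg.generateKey(); // key material never leaves the Keystore (or the TEE, where present)
    }

    /** Seals a short-lived session token; output layout is [ivLen][iv][ciphertext+tag]. */
    public static byte[] sealToken(String token) throws GeneralSecurityException, IOException {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, sessionKey()); // Keystore supplies a fresh random IV
        byte[] iv = c.getIV();
        byte[] ct = c.doFinal(token.getBytes(StandardCharsets.UTF_8));
        return ByteBuffer.allocate(1 + iv.length + ct.length)
                .put((byte) iv.length).put(iv).put(ct).array();
    }

    /** Reverses sealToken; throws AEADBadTagException if the stored blob was modified. */
    public static String openToken(byte[] sealed) throws GeneralSecurityException, IOException {
        int ivLen = sealed[0] & 0xff;
        byte[] iv = Arrays.copyOfRange(sealed, 1, 1 + ivLen);
        byte[] ct = Arrays.copyOfRange(sealed, 1 + ivLen, sealed.length);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, sessionKey(), new GCMParameterSpec(128, iv));
        return new String(c.doFinal(ct), StandardCharsets.UTF_8);
    }

    // ---- Safeguard 2: refuse to run if the APK was re-signed, i.e. repackaged with added code ----

    // Placeholder: lowercase hex SHA-256 of the release signing certificate.
    private static final String EXPECTED_CERT_SHA256 = "<release-signing-cert-sha256-placeholder>";

    public static boolean isSignedByExpectedCert(Context ctx) {
        try {
            PackageManager pm = ctx.getPackageManager();
            Signature[] signers;
            if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
                PackageInfo info = pm.getPackageInfo(ctx.getPackageName(),
                        PackageManager.GET_SIGNING_CERTIFICATES);
                signers = info.signingInfo.getApkContentsSigners();
            } else {
                @SuppressWarnings("deprecation")
                PackageInfo info = pm.getPackageInfo(ctx.getPackageName(),
                        PackageManager.GET_SIGNATURES);
                signers = info.signatures;
            }
            if (signers == null || signers.length != 1) return false; // exactly one signer expected
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(signers[0].toByteArray());
            // constant-time comparison so timing does not reveal how many bytes matched
            return MessageDigest.isEqual(toHex(digest).getBytes(StandardCharsets.US_ASCII),
                    EXPECTED_CERT_SHA256.getBytes(StandardCharsets.US_ASCII));
        } catch (PackageManager.NameNotFoundException | java.security.NoSuchAlgorithmException e) {
            return false;
        }
    }

    private static String toHex(byte[] b) {
        StringBuilder sb = new StringBuilder(b.length * 2);
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }
}
```

Two limits worth keeping in mind when reading this. The Keystore stops the token from being lifted off the filesystem, but a root-level attacker who controls the running app can still ask the app’s own code to decrypt it, which is why the token should be short-lived and server-revocable and why lock, unlock and start should additionally require a second factor on the server side. The certificate check runs inside the same APK it is protecting, so a repackager can also patch it out; it raises the bar for the altered-app attack the researchers describe, but a server-side attestation of the installed package is the stronger form of the same idea.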

It’s not the first time that a lack of safeguards in connected car apps has come back to bite automakers—nor is the problem entirely confined to Android phones. Security researcher Samy Kamkar showed in 2015 that he could use a small piece of hardware hidden on a car to wirelessly intercept credentials from iOS apps like GM’s Onstar, Chrysler’s UConnect, Mercedes-Benz mbrace, and BMW’s Remote. Kamkar’s attack similarly allowed him to remotely locate those cars, unlock them, and in some cases start their ignitions. With that method, “there would be no warnings; your credentials would be stolen and reusable by the attacker without any phone modifications,” says Kamkar, contrasting his attack with the Android hacks suggested by Kaspersky. “But it’s nonetheless interesting to see that when a phone is compromised now, so many other areas of your life can be taken.”

As connected cars gain features, the Kaspersky researchers argue, the need to lock down the apps that control those features will only grow. “Maybe today we can open the car without triggering the alarm, but these functionalities are only the beginning,” says Kaspersky researcher Mikhail Kuzin. “Car manufacturers will add new features to make our lives more convenient. To prevent more attacks in the future, we need to think about this now.”